
Thread: OT: password protection

  1. #41
    Join Date: Jun 2001 | Location: North Central Texas | Posts: 2,470

    Things have really been tough lately. I had my identity stolen...

    And my credit rating went up!
    Bad-um-ching


    I don't have to worry about passwords too terribly much, but y'all gave me some good ideas for passwords that will be easy to remember.

    1018-CRS, 4140*CroMo, 7075-T6Al or 12L14/Lead, for example.

  2. #42
    Join Date: Jan 2004 | Location: Missouri | Posts: 30,078

    Quote Originally Posted by danlb:
    .....

    When possible, don't use the same password for a large number of systems. It's just a bad thing to do if you are at all concerned with security.

    Dan
    Preachy, preachy..... That makes no difference. The systems would need to be important.

    But you missed the point of there being "junk passwords" for unimportant sites..... What difference does it make if someone had passwords for this site? NONE.... they could post pretending to be you.... that's about it.

    Now, if someone was such a blame fool as to use the same password for 3 banks, their credit union, and their stockbroker, THEN you would have a point that was worth making.

    But there is simply no point in remembering a decent security gibberish password for each different forum one belongs to. Just trash cluttering the mind.

    Besides..... there are LISTS of common passwords out on the net.... published by, of all things, security folks. These are passwords KNOWN to be used. Thousands or tens of thousands of them. It's not as if hackers really need YOUR particular password.

    Plus, all a password is, is a set of numeric codes. If there are gibberish passwords, then a brute force attack simply going through all the possibilities is as good as anything else. At the quoted 40,000,000 tests per second, it should not take that long to find numerous passwords.

    Finally, at the end of the day, there are many sites that use feather-brained systems.... it is not uncommon to find a site that REQUIRES a password to be no longer than 6 characters (sometimes 8), and allows ONLY lower case letters and numbers, no punctuation, etc. Every single one of those can be tested in under 10 minutes..... what's even the point of having them? (I have been a member of at least three such)
    Last edited by J Tiers; 01-09-2019 at 09:35 PM.
    1601

    Keep eye on ball.
    Hashim Khan

  3. #43
    Join Date: Nov 2008 | Location: SF East Bay. | Posts: 6,169

    Quote Originally Posted by J Tiers:
    Preachy, preachey..... That makes no difference. The systems would need to be important.

    But you missed the point of there being "junk passwords" for unimportant sites..... What difference does it make if someone had passwords for this site?
    Well, since you ask... I suggest that you read post #36. It explains how exploiting a site often starts by finding an unimportant account with a known password. This lets them leverage the internal flaws that are only accessible to a person logged into the system. Even a low level, worthless account like J_Tiers here on HSM might be used as a toehold to gain more privileged access. Those accounts are quite useful!

    The most common security problem I ran into when auditing systems was the belief among system admins and programmers that firewalls will protect a system from external attack. That leads to allowing sloppy internal security since they feel that they can trust their users not to exploit flaws.
    Measure twice. Cut once. Weld. Repeat.
    ( Welding solves many problems.)

  4. #44
    Join Date: Jan 2013 | Location: Michigan | Posts: 1,539

    Quote Originally Posted by AD5MB:
    a little assistance for those who don't quite get it:

    you hack the password file, as noted above

    you get the code which turns the password into gobbledegook

    you throw every variation you can think of at it, and record them all

    if anyone anywhere ever used "abc123" as a password, you have that hashed password in your list.

    you don't have to crack individual passwords. you just have to compare what you find in the password list files with the billion or so already cracked passwords. if anyone anywhere ever used it, it's already cracked. no skill, no programming, just compare lists
    Are you not familiar with password salting?

  5. #45
    Join Date: Nov 2008 | Location: SF East Bay. | Posts: 6,169

    Salting goes way back. You add a random string to the password before encrypting so that two encryptions of the same password will have different hashes. It makes it more difficult to use dictionaries of previously cracked hashes. But it does not make it impossible. Obviously the salts have to be stored somewhere with some association to the password for which each is used.

    Salts are not a cure all. They simply make part of the password cracking more expensive.
    Measure twice. Cut once. Weld. Repeat.
    ( Welding solves many problems.)
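    The lookup-table comparison AD5MB describes in #44 and the salting danlb describes in #45, as an added Python example that is not part of the thread: it builds a small precomputed table from a constructed list of known passwords, shows that an unsalted store falls to a single lookup, and shows that a per-user random salt plus PBKDF2 (assumed here as the slow hash; the thread names no algorithm) defeats the table and forces each guess to be recomputed per user.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample list for this example, standing in for the published lists
# of known passwords the posts mention; not taken from any real breach.
KNOWN_PASSWORDS = ["abc123", "password", "letmein", "123456"]
ITERATIONS = 100_000  # PBKDF2 work factor; an assumption, tune per deployment

def build_lookup_table(passwords) -> Dict[str, str]:
    """Precompute unsalted hash -> plaintext once; reusable against every unsalted store."""
    return {hashlib.sha256(p.encode()).hexdigest(): p for p in passwords}

def store_unsalted(password: str) -> str:
    """Weak scheme: hash of the bare password, identical for every user who picks it."""
    return hashlib.sha256(password.encode()).hexdigest()

def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Per-user random salt plus a slow KDF. The salt is returned so it can be stored
    beside the hash; as the post notes, that is unavoidable, and the salt is not a secret."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest.hex()

def verify_salted(password: str, salt: bytes, stored_hex: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return secrets.compare_digest(digest.hex(), stored_hex)

def recover_with_table(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """One dictionary lookup: all a precomputed table needs against an unsalted store."""
    return table.get(stored_hash)

def demo() -> dict:
    table = build_lookup_table(KNOWN_PASSWORDS)
    # Two users who chose the same weak password. Unsalted: one hash, one lookup cracks both.
    u1, u2 = store_unsalted("abc123"), store_unsalted("abc123")
    # Salted: different hashes, the table finds nothing, and every guess has to be
    # recomputed per salt at the KDF's cost (the "more expensive" part of the post).
    s1, h1 = store_salted("abc123")
    s2, h2 = store_salted("abc123")
    return {
        "unsalted_identical": u1 == u2,
        "unsalted_cracked": recover_with_table(u1, table),
        "salted_identical": h1 == h2,
        "salted_cracked": recover_with_table(h1, table),
        "salted_verifies": verify_salted("abc123", s1, h1),
    }
```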

  6. #46
    Join Date: Jan 2013 | Location: Michigan | Posts: 1,539

    Quote Originally Posted by danlb:
    Salts are not a cure all. They simply make part of the password cracking more expensive.
    To not mention them while "explaining" this suggests a profoundly incomplete response and lack of basic crypto knowledge.

  7. #47
    Join Date: Nov 2008 | Location: SF East Bay. | Posts: 6,169

    There are a hundred nuances that are not being explained here. It's the wrong audience for it. AD5MB did a decent explanation for the layman.
    Measure twice. Cut once. Weld. Repeat.
    ( Welding solves many problems.)

  8. #48
    Join Date: Jan 2004 | Location: Missouri | Posts: 30,078

    It is the HSM site's lookout as far as passwords and access to higher levels. Same for any other site... if you give folks access to higher levels, shame on you. You are certainly not going to get into any bank accounts with any shared passwords of mine.... they are for the junk sites like this. But have at it..... by all means go for it, waste your time.

    But I suspect VP have little to worry about, as there is not much use even in gaining access to the entire VP computer system. It does not compare with gaining access to the equifax system, or mastercard, or any of the hundreds of other large scale hacks that have occurred. There is not much point to spending time on it.

    BUT, the password system is fundamentally flawed to begin with. It is designed to fail. And to fail in a way that can easily be blamed on the user, never on the admins.

    Here you have a system in which obtaining one thing allows potential access to the entire system, and certainly allows access to the level the password holder has access to.

    The "thing" in question must be always presented when requesting access, but it must be remembered, never noted down.

    Simultaneously, it must be something that is inherently difficult to remember.

    And, you are supposed to change it on a regular basis.

    People may have perhaps a dozen or more of these ever-changing gibberish passwords, each of which they must remember, and then forget and remember a new one, and then repeat that.

    That simply means some proportion of people will simply write all of them down, possibly in a computer text file, each password neatly associated with its site. Of those who DO NOT write them down, many will trust it to a "password keeping program", which evidently is considered un-hackable, possibly kept locally, possibly out in the "cloud" (raising another level of insecurity).

    And some proportion of those people will respond to a phishing email and just hand over their passwords free of charge.

    A smart thing to do would be to crack the password keeper program, and then just infect computers with a program that will collect the passwords and the associated sites. Now sort out the trash and keep the useful items.

    So... All this hassle, and Passwords are just plain insecure. You get hold of one file, which has been done hundreds of times, and you are potentially "in".

    You can think up all the odd combinations of symbols to use in a password that you care to, and the computer does not care.... they are just numeric information. All those do is to make it harder for a pencil and paper worker to identify. But pencil and paper is not used in hacking any more.

    What that all means is that to stay sane and reasonably secure, you just use one password for ALL the low level junk sites. Maybe you vary something easy between them, if you care. Nobody is going to go after those sites, there is nothing there. And there is no reason to treat those the same way you treat your bank account (assuming you do on-line banking, which is a choice you do not have to choose).

    The two-factor systems that I have used have been a problem. They do not seem to be fundamentally different from a two level password system. That would be potentially more secure if the two systems are isolated from each other, with a forced second username and second password. A hacker would need both. But one I used to use evidently became garbled, so that my second piece of information, which I know was correct, was rejected.... I got in without it, because "everyone was having trouble with it" and I talked my way through the help folks. Those are still rare, and if done right just add to the hassles by requiring a second comm path PLUS a second password type input.

    Using fingerprints, etc just turns the person into the "key". Now you must steal the person, and not just a small key. Not very hard to do, but harder to get rid of the body than the key, afterward. And kinda tough on the victim.

    Save your fancy-pants passwords for sites that are important.... your bank, and that sort of thing. That should keep even danlb happy.
    Last edited by J Tiers; 01-10-2019 at 02:07 AM.
    1601

    Keep eye on ball.
    Hashim Khan

  9. #49
    Join Date: Sep 2006 | Location: Southwestern Ontario, Canada | Posts: 5,138

    Quote Originally Posted by J Tiers:

    Using fingerprints, etc just turns the person into the "key". Now you must steal the person, and not just a small key. Not very hard to do, but harder to get rid of the body than the key, afterward. And kinda tough on the victim.
    Biometric scanning will not be secure for long if it is used for web access. Biometric data is just that, data. It has to be stored in a file which has to be accessible in the same manner that passwords are for the security programs to work. Just numbers that can be hacked like any other data that can be used by some smart miscreant to do the dark lord's evil deeds. All hail the dark lord (best to get on his/her/its good side).
    The shortest distance between two points is a circle of infinite diameter.

    Bluewater Model Engineering Society at https://sites.google.com/site/bluewatermes/

  10. #50
    Join Date: Jan 2013 | Location: Michigan | Posts: 1,539

    Quote Originally Posted by danlb:
    There are a hundred nuances that are not being explained here. It's the wrong audience for it. AD5MB did a decent explanation for the layman.
    Agree. You expect sites are using salting but some are still using plaintext.
